CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 2CVE-2022-0829 – Improper Authorization in webmin/webmin
https://notcve.org/view.php?id=CVE-2022-0829
Improper Authorization in GitHub repository webmin/webmin prior to 1.990. Una Autorización Inapropiada en el repositorio de GitHub webmin/webmin versiones anteriores a 1.990 • https://github.com/webmin/webmin/commit/eeeea3c097f5cc473770119f7ac61f1dcfa671b9 https://huntr.dev/bounties/f2d0389f-d7d1-4f34-9f9d-268b0a0da05e https://notes.netbytesec.com/2022/03/webmin-broken-access-control-to-post-auth-rce.html • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 96%CPEs: 1EXPL: 8CVE-2022-0824 – Improper Access Control to Remote Code Execution in webmin/webmin
https://notcve.org/view.php?id=CVE-2022-0824
Improper Access Control to Remote Code Execution in GitHub repository webmin/webmin prior to 1.990. Un Control de Acceso Inapropiado para una Ejecución de Código Remota en el repositorio de GitHub webmin/webmin versiones anteriores a 1.990 • https://www.exploit-db.com/exploits/50809 https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell https://github.com/pizza-power/golang-webmin-CVE-2022-0824-revshell https://github.com/honypot/CVE-2022-0824 http://packetstormsecurity.com/files/166240/Webmin-1.984-Remote-Code-Execution.html http://packetstormsecurity.com/files/169700/Webmin-1.984-File-Manager-Remote-Code-Execution.html https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38 https://huntr.dev/bounties/d0049a96-de • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 3CVE-2020-35606 – Webmin 1.962 - 'Package Updates' Escape Bypass RCE
https://notcve.org/view.php?id=CVE-2020-35606
Arbitrary command execution can occur in Webmin through 1.962. Any user authorized for the Package Updates module can execute arbitrary commands with root privileges via vectors involving %0A and %0C. NOTE: this issue exists because of an incomplete fix for CVE-2019-12840. Una ejecución de comandos arbitraria puede ocurrir en Webmin versiones hasta 1.962. Cualquier usuario autorizado para el módulo Package Updates puede ejecutar comandos arbitrarios con privilegios root por medio de vectores que involucran %0A y %0C. • https://www.exploit-db.com/exploits/49318 http://packetstormsecurity.com/files/160676/Webmin-1.962-Remote-Command-Execution.html https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html https://www.webmin.com/download.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-12670
https://notcve.org/view.php?id=CVE-2020-12670
XSS exists in Webmin 1.941 and earlier affecting the Save function of the Read User Email Module / mailboxes Endpoint when attempting to save HTML emails. This module parses any output without sanitizing SCRIPT elements, as opposed to the View function, which sanitizes the input correctly. A malicious user can send any JavaScript payload into the message body and execute it if the user decides to save that email. Se presenta una vulnerabilidad de tipo XSS en Webmin versiones 1.941 y anteriores, afectando a la función Save del Endpoint Read User Email Module / mailboxes cuando se intenta guardar correos electrónicos HTML. Este módulo analiza cualquier salida sin sanear los elementos SCRIPT, a diferencia de la función View, que sanea la entrada correctamente. • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8821
https://notcve.org/view.php?id=CVE-2020-8821
An Improper Data Validation Vulnerability exists in Webmin 1.941 and earlier affecting the Command Shell Endpoint. A user may enter HTML code into the Command field and submit it. Then, after visiting the Action Logs Menu and displaying logs, the HTML code will be rendered (however, JavaScript is not executed). Changes are kept across users. Se presenta una vulnerabilidad de Comprobación de Datos Inapropiada en Webmin versiones 1.941 y anteriores, afectando al Endpoint Command Shell. • https://www.webmin.com/security.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •